Microsoft Azure Active Directory (AD) Connect has been available for many years as the first step to synchronize an Active Directory environment to the Microsoft Office 365 and Azure. With Azure AD Cloud Provisioning (Public Preview in February 2020), a new option has arrived (in public preview) to simplify certain complex scenarios. I couldn’t wait to blog about it when I read about this new tool and identity design option.
So let’s say you are planning to synchronize multiple Active Directory environments into the same Office 365 and Azure tenant. This is often the way forward for many companies with separate environments as the result of acquisitions and mergers over the years. And, while this configuration happens quite a bit, it adds a bit of complexity to the design. Since only one Azure AD Connect instance can sync to only one Azure AD and Office 365 tenant, Azure AD Connect must be in contact with each AD Forest. AD Forests must already be setup to communicate with each other using Active Directory Trusts or Active Directory Federation Services (ADFS). This configuration takes some experience to understand AD Forest design, namespaces, identities, and more to ensure everything works correctly. Additionally, the Azure AD Connect tool processes three areas as part of its on-premises agent: Provisioning Service, Provisioning Configuration, and Provisioning Engine.
Now let’s take the same environment of multiple Active Directory Forests syncing into a single tenant. We now have the option to install a lightweight agent into each Active Directory environment that will do all of the heavy lifting in the cloud (not on the server). No line of sight (AD Trusts or ADFS) is needed between each Active Directory Forest. No new ports are needed between the environments. All processing is now done in the cloud for these three activities: Provisioning Service, Provisioning Configuration, and Provisioning Engine. All of this helps to simplify the design when synchronizing multiple Active Directory Forests into one tenant. We also have the option to install multiple Azure AD Connect Cloud Provisioning agents into a single Active Directory Forest for high availability. Azure AD Connect has a limitation of one agent per Active Directory Forest.
Now that you are aware of the advantages of the new Azure AD Cloud Provisioning service, it is important to understand that its intended use is only when bringing multiple on-premises environments into one tenant. For simple scenarios where one Active Directory Forest environment is being synced with an Office 365 and Azure tenant it is best to use Azure AD Connect. At the time this article was published, this tool did not support the synchronization of device objects, custom AD attributes, attribute filtering, and password write-back. Be sure to the check the documentation link below for new information.
Azure AD Cloud Provisioning is in Public Preview as of February 2020. Be sure to review the documentation and tutorials below and setup your configuration in a lab environment to test. It should only be used in production once it is out of Public Preview status and in General Availability. The documentation contains a great chart of the capabilities differences between Azure Active Directory Connect Sync and Azure Active Directory Connect Cloud Provisioning.
